
Enroll Certificate from Domain Computer with Local User?


Is it possible to manually enroll a computer certificate on a domain joined computer while logged on as LOCAL\Administrator?

I've tried through MMC and PowerShell using Get-Certificate, but both methods look as though I don't have rights to the templates authorized to this computer's AD Group while logged on as LOCAL\Administrator. (Works fine with DOMAIN\User)

I've tried with various RunAs methods (MMC RunAs DOMAIN\User, Get-Certificate -Credential, etc.) with no change in behavior.

If I enable Auto-Enroll for the AD Group containing the Computer (instead of just Read/Enroll) the certificate is provisioned fine, but for the scripted process I'm using, I only want this certificate enrolled one time so I can export it with its private key, then delete it from the CertStore.

My process (in case I'm going about this all wrong) is to enroll and export the SCCM Distribution Point certificates as part of an MDT Task Sequence to build SCCM Distribution Points. I have 99% of this completely scripted now, except this one last piece that only works when a DOMAIN\User is logged on.

I don't see anything in the template security that would prevent a local\Administrator from provisioning the COMPUTER certificate.

It is possible one of the other admins added some kind of security to the CA or a GPO exists that is preventing this but I'm not sure where to look.

Anyone have any ideas?


There's no place like 127.0.0.1
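The one-time enroll, export-with-private-key, then remove-from-store flow the post describes, as an added PowerShell example (not code from the original post). It assumes a template name and an output path, that the template permits private key export, and that the script runs in the machine context (for example as SYSTEM inside the task sequence) so the CA authenticates the request as the computer account rather than a local user.

```powershell
# Added example, not from the original post. Assumed values below.
$TemplateName = 'SCCM-DistributionPoint'   # assumption: template name as published on the CA
$PfxPath      = 'C:\Build\DP-Cert.pfx'     # assumption: where the exported PFX should land
$PfxPassword  = Read-Host -AsSecureString -Prompt 'PFX password'

# Enroll directly into the machine store. Run in the machine context (e.g. SYSTEM
# in the task sequence) so the request carries the computer account's identity,
# which is what the template's Read/Enroll ACE for the computer's AD group covers.
$result = Get-Certificate -Template $TemplateName -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status '$($result.Status)'"
}
$cert = $result.Certificate
if (-not $cert.HasPrivateKey) {
    throw 'Issued certificate has no private key in the machine store'
}

# Export certificate plus private key (fails unless the template allows export).
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword -ChainOption BuildChain | Out-Null
if (-not (Test-Path $PfxPath)) {
    throw "PFX was not written to $PfxPath"
}

# Remove the certificate and its key so only the PFX remains on the build machine.
Remove-Item -Path ("Cert:\LocalMachine\My\" + $cert.Thumbprint) -DeleteKey
Write-Output "Enrolled, exported to $PfxPath and removed thumbprint $($cert.Thumbprint) from the store"
```

If `Get-Certificate` returns a status other than Issued when run interactively as the local Administrator, that is the same template-rights symptom described above; the CA's request log shows which account the request actually arrived as.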


